Posted by Unknown Lamer on Tuesday November 08, 2011 @08:04AM from the license-required-to-surf dept.

hessian writes with an article in Wired about the problems facing the U.S. Government's networks in an increasingly hostile world. From the article: "The Pentagon's far-out research agency and its brand new military command for cyberspace have a confession to make. They don't really know how to keep U.S. military networks secure. And they want to know: Could you help them out? DARPA convened a 'cyber colloquium' at a swank northern Virginia hotel on Monday for what it called a 'frank discussion' about the persistent vulnerabilities within the Defense Department's data networks. The Pentagon can't defend those networks on its own, the agency admitted."

Actually, if you wanted real USB security you'd open the system, pull the wires off the headers, then epoxy/clip the header so no one could open the system and add a stealth USB port to the header. Keep in mind there are anywhere from 1-6 sets of headers on the motherboard, and a few minutes of work would allow someone to attach USB devices whenever they wanted.

Then you run into problems with data that needs updating, like, say, a map. Putting it on CD/DVD only works until malware realizes it needs to embed itself on said media, and once it has, there's nothing to prevent another Stuxnet-like attack.

If data needs to flow somehow between airgapped networks, you're screwed. Doesn't matter if you use a data diode, physical separation, etc. As long as there is some way that data needs to go from an insecure network or inse

Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks.

Well there's your problem! The ones at the forefront of breaking-into-electronic-systems-in-interesting-ways aren't the usual crowd the DoD are used to wooing (heads of industry, academic engineers, the conference-at-swanky-hotel crowd) but people working out of their basements fiddling with things for the fun of it.

If they want a real assessment, offer a honeypot network with some stand-in data, and set a prize for whoever can get it and tell them how.

We used to use tiger teams - hell, maybe we still do. A group of professionals that would try to break into government facilities or steal data. I think the best way to secure the systems would be to have the best people we can spare try to break into them and then recommend how we can make it harder for them.

The Army still employs the Red Team, Blue Team model as well. There is a Warrant Officer billet for it. The few that I have met weren't terribly competent though. They were the ones who were persistent enough to hang around and get into the "cool" program. (Although my sample size is slightly more than a handful of reservists.)

Normally I'd avoid getting all "this one's better than that one", particularly since I come from an Army family, but it does seem like the NSA's team is the group you hear all the spook-ish stories about. And I assume they recruit reliable and talented people from the various branches.

The fact that this kind of shit is happening means that they are either ineffective, understaffed, or both.

I mean, isn't one of the best tests of security attempting to break into it? If we don't constantly test ourselves, we'll get complacent and shit like this happens. How long will it be before a foreign government fires off a missile or de-orbits a satellite?

If they want a real assessment, offer a honeypot network with some stand-in data, and set a prize for whoever can get it and tell them how.

No, that's exactly what everybody's doing now - an endless game of find-and-patch whack-a-mole. That's not DARPA, it's Norton anti-virus.

What they want is to go back to first principles for a fresh start, to preclude as many attacks as possible from arising in the first place. How possible that is, nobody really knows. I'm afraid it will be determined that there

OK. Write your own operating system from scratch. You can use Linux or BSD as a model, but change all the system calls, factor things differently, and use a language that will prohibit wild pointers. There's a dialect of D (Digital Mars D) that would work. There's also supposed to be a dialect of Ada, but I don't know enough about it to be sure. DON'T use C or C++, as you can't secure array boundaries.

Then write your own network protocol. You can use IP as a guide, but change everything. I'm not just

You're proposing something that's quite secure, but not *really* secure. Nobody has ever written the kind of system I proposed, because **it would be an incredible amount of work**. And you are proposing standard IP, which has known problems. E.g., you can't be sure who is on the other end of the line.

POSIX can't be used for real security, because it's got known holes. They aren't large, but they are there. SELinux is better in certain areas, but it's only better, not really secure.

That's what VPNs and ACLs are for. You don't think you could securely configure VPNs and ACLs for less than it would cost for a parallel infrastructure? What happens when someone bridges a wifi device onto your network?

Which is why we have things like PKI infrastructures, pre-shared keys, and RSA tokens. At least there you know what the threat is, and can fortify around it.

I'm not sure I've ever heard of a scenario where someone broke into a secure network by bruteforcing both the PKS and the secondary form of authentication; invariably, breaches are because someone made a stupid mistake like getting a virus, or by letting someone walk out with un-secured media, or connecting a wifi device to the secured network.

I love those faculty and sysadmin types here who expect us to write these hideously involuted Access Control Lists on our routers to make up for their steadfast desire to avoid actually administering their systems. (*eyeroll*)

You're correct... and nobody thinks that hosts can be secure, because our current conception of security is that it makes something unusable. It doesn't have to be that way, and I've pointed that out many times, but preaching about capability based security to this choir just doesn't work.

Probably not too much, in an architectural sense. Probably a lot, but not a terribly surprising lot, in an institutional sense.

Building impressively secure systems (while by no means easy, it is serious software engineering and/or comp sci) is something that people can do and have done. Building impressively secure systems that aren't wildly expensive and wholly incompatible with the shoddy-but-feature-rich crap that people like to buy is substantially harder.
Building impressively secure systems that aren'

If you walk into any given government office what do you expect to see on their monitors? I don't think it's Linux. That's one of the things they need to fix. Dump Windows. Yah, just blaming everything on Windows would be a troll, there is certainly more to security than that. Any OS and the applications must be configured correctly, the network itself must be secured, all that is true. Still, there is little good to be said about Windows security. Having it on the networks automatically makes the netw

Start using systems that were designed to be secure in the first place. Stuff that works on a "deny by default" basis, that refuses to process any data that it doesn't understand, uses OCSP as a white list on the CA side, defence in depth: use strict validation of input on multiple levels (when making a web app: using a default-deny application firewall, then strict validation in form processing and finally use modular application design that validates data received from other modules) and so on.

This will require throwing away most, if not all, software in use. Including OSs, probably even Linux as I'm not sure if SELinux (or other such systems) go deep enough on the kernel side. Then making new software from scratch with primary design objective to be secure. As no politician or PHB can justify spending this amount of money on such nebulous concept as security, the whole idea will fail. Because this won't eliminate, just reduce the number of security related bugs, won't help the cause.

We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.

I wish I had some mod points to mod parent up. I would also suggest they remove the bureaucracy involved in the C&A and pen testing phases. Anyone who's ever been a part of the process can clearly see what little value is added against APT.

Well, if running pentest is only a first step in evaluating security of the system (after all it verifies if its secure against most common attacks) and throw it away as soon as it fails it, I'd say it adds large value.

I completely agree, test and patch doesn't work, if it did sendmail and IE would be the most secure software packages in existence.

It's B1 in the old (stringent) rating scheme, and can be configured to provide a lot of protection against theft of data, via
- mandatory access controls (not changeable by the process or user)
- secure path (knowing it's really you at the keyboard)
- covert channel analysis (genuinely hard, this is often "ongoing")
- audit (which eventually runs you out of disk (;-))

There is some protection against attack, but more or less as a side-effect of protecting against spies leaving with data.

AFAIK SELinux can protect you from attack only from user-space. It won't help for attack on kernel itself (it's important if we want secure networks). But then I'm not sure if any system in a monolithic kernel would be able to do this. On the other hand, monolithic kernels are the only OS kernels that actually work outside academics. This would suggest that the highest security rating a general purpose OS can have is B1...

My prediction... any OS or other software written by security experts with security as its number 1 goal would be worthless. It probably wouldn't allow real people in real situations to get any work done, or if it did it would require them to go through convoluted productivity limiting steps to do so. I suspect any computer running such an OS would be about as useful as a pet rock.

What is needed is more well rounded professionals that understand both security and user's needs. I don't think our curren

Control characters are limited to the first 127 ASCII characters in UTF-8. Any of those characters encoded as a multi-byte character, which is possible, is not valid UTF-8. You may not know how to render all characters, but you definitely can sanitize UTF-8 input: the list of all characters that can be rendered by a given font is finite.
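The point above, as an added example (not code from any poster): a strict UTF-8 decoder that refuses overlong encodings such as 0xC0 0x80 for NUL instead of decoding them, followed by a control-character filter. The sample inputs are constructed; the C1 range check goes slightly beyond the post's ASCII-only remark.

```python
# Constructed samples: plain text with a two-byte 'é', an overlong NUL,
# an overlong three-byte ESC, and a genuine ESC starting an ANSI sequence.
SAMPLE_OK = b"Hello, world \xc3\xa9"
SAMPLE_OVERLONG_NUL = b"abc\xc0\x80def"
SAMPLE_OVERLONG_ESC = b"abc\xe0\x80\x9bdef"
SAMPLE_RAW_ESC = b"abc\x1b[31mdef"


def decode_utf8_strict(data: bytes) -> list:
    """Decode to code points; raise ValueError on any malformed sequence."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, need, floor = b, 0, 0
        elif 0xC0 <= b <= 0xDF:          # 0xC0/0xC1 leads caught by floor check
            cp, need, floor = b & 0x1F, 1, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, need, floor = b & 0x0F, 2, 0x800
        elif 0xF0 <= b <= 0xF7:          # >U+10FFFF caught by range check
            cp, need, floor = b & 0x07, 3, 0x10000
        else:
            raise ValueError("bad lead byte")
        if i + need >= n:
            raise ValueError("truncated")
        for k in range(1, need + 1):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation")
            cp = (cp << 6) | (c & 0x3F)
        if cp < floor:                   # a shorter form exists: overlong
            raise ValueError("overlong")
        if 0xD800 <= cp <= 0xDFFF:
            raise ValueError("surrogate")
        if cp > 0x10FFFF:
            raise ValueError("out of range")
        out.append(cp)
        i += need + 1
    return out


def is_control(cp: int) -> bool:
    """C0 controls, DEL, and (beyond the post's point) the C1 controls."""
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F


def sanitize(data: bytes, keep=frozenset({0x09, 0x0A, 0x0D})) -> str:
    """Validate first, then drop control characters except tab/LF/CR."""
    return "".join(chr(cp) for cp in decode_utf8_strict(data)
                   if cp in keep or not is_control(cp))


def check_input(data: bytes) -> tuple:
    """('ok', cleaned text) or ('reject', reason); overlongs never decode."""
    try:
        return ("ok", sanitize(data))
    except ValueError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    for s in (SAMPLE_OK, SAMPLE_OVERLONG_NUL, SAMPLE_OVERLONG_ESC, SAMPLE_RAW_ESC):
        print(s, "->", check_input(s))
```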

If you have a workstation commissioned to run 2 or 3 very specific jobs (entering recruits' data, administering a SCADA system, piloting UAVs, etc.) it can be relatively easily secured even now. Unless it has to have access to the web (with its Flash, HTML5, Java and ActiveX), in which case it's impossible to secure if you don't use a purpose-built browser (that disables most of the functionality). Of course in any scenario, a user can't be able to install new software or use f

The Internet was designed to be damage tolerant, not secure. So it is fundamentally the wrong design for a secure system. Instead, the current internet does its best to *deliver* data. So likely their best choice is to build a new network from the ground up, designed to be secure. That probably means *not* based on the Internet Protocol.

We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.

This theory can be applied to so many things when it comes to programming and designing. Many web applications are designed by designers, and security is never a consideration. Security awareness is increasing though, but it will take time to spread this knowledge through the industry.

Securing the network on Windows is just about impossible. It was originally designed when computer security was nothing but a far-out concept, and attempts to retrofit security into it without tossing out the basic design have been unsuccessful so far; actually securing it would require a silly level of hacked-up modification (try to prevent wifi dual-homing, I dare you). Toss out Windows, start with a custom Linux distro and go from there. Network-booting machines secured with in-house-administered TPM will be extremely hard to break into. Allow centralized control of all software so that any change to a computer's OS that wasn't signed off on by the IT department sets off the biggest red flag in the world.

It can be done but not while trying to pussyfoot around with commercial consumer-grade toys.

I don't see why you think that's funny - we're talking capital-S security with DARPA here. Relying on encryption to keep your broadcasted-to-anyone-in-the-neighborhood data safe is clearly strictly less secure than not broadcasting your data in the first place.
And don't think that I'm limiting myself to WiFi when I mean "broadcasting" - just audio could be enough to compromise security: https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information

Come on, Android is hardly Linux, the Linux-based kernel isn't even compatible with the mainline Linux kernel. Apart from that distinction, it's about as far from a locked-down security-centric distro as you can get.

And yes you can lock down Windows with an insane amount of work, but why not put that work towards a more fundamental and long-term solution, instead of slapping armor onto a vulnerable black box that was never designed to do the job?

While I agree with your conclusion, that Windows is hopeless, I question your logic. Linux is a Unix clone, which is older than Windows. Certainly decent security can be added onto an existing OS. The difference is more the environment in which the two are developed, not when they were originally designed in relation to when network security became important.

Unix was designed with security in mind. It was designed to run as a multi-user system on college campuses, with lots of snoopy students...or students that wanted extra time to complete their projects.

MSDos intentionally stripped out all the security, in order to run more efficiently on minimally powered single user computers. The security didn't even START getting added back in for nearly a decade, and then it was mainly PR gestures.

It's not just the age of the system, it's the history. Every time MSWin

The core problem for the US government, and whichever of the many branches that is taking responsibility for this or that part of the government's cyber infrastructure, is a lack of pervasive talent among the staff. In order to attract talented staff, it is essential to have a very transparent mission and vision for an organization. Is the US government really committed to securing the infrastructure?

out good tech people or force them to be mangers and then on to some other post.

Also a lot of tech people are too old for the military; others don't have the mindset to make it through a military boot camp. If some of it needs to be military, maybe then it needs a special rank system so techs are not forced to start at private pay, and officers should not be the same way as the rest of the military is.

Also have a special boot camp say maybe little to no exercise part, no forced gun trading, no other battle fi

Well if you look at the Chinese attacks they are all based on spear phishing. So what you need to secure is to prevent people from running code sent to them via emails. It's really easy to do - simply enforce whitelists - not blacklists, whitelists. For example, the OS should refuse to run unsigned exe files - not simply ask you if you're sure, but actually tell you that you can't, period. And by unsigned I mean anything not signed with the private keys of your organization. Also, make a whitelist of domain na

Security seems to be extra vulnerable to fraud. Many times, I saw military customers wooed by vendors who are perfectly willing to give them a load of bull about how they can't explain why their devices, software, and ideas are secure, because that would compromise the security. Then the military goes a step further, and abuses their secret classification system to cover up security problems, keeping important information even from their own people. They base security decisions on politics. They are more interested in getting a system approved as secure than in whether it is actually secure, and will lean on people to just rubberstamp systems. They play favorites. They like Windows, because they find it more user friendly, so they push to have it declared secure. Systems they don't like are held up to extremely difficult standards, the better to reject them. They engage in plenty of their own bull to pull that off. For instance, Linux is coded by foreigners, which they deem automatically makes it insecure. How can they know some foreign programmer won't put a back door into the Linux kernel? Never mind that Microsoft might employ Indians to work on Windows. And who's to say that US citizen programmers would never sell out?

They want COTS (Commercial Off The Shelf), to save money, but there is no COTS that meets their needs. They play a funny game with contractors too. Employ people as contractors and treat them with deep suspicion, but won't employ them as their own experts who just might possibly be a touch more committed and loyal.

Was anyone ever able to compromise a correctly configured VMS box? Has anyone broken strong well configured public key encryption? Security is not a big secret, not easy, but good, effective practices are not unknown. So is the question "how do we keep script kiddies off our sharepoint site installed by a neophyte sysadmin"? Really the only valid response is a well quoted "*sigh*".

You can't assume that current public key systems will continue to be secure. Advances in Quantum Computing make that a dubious proposition. There are systems that will work, but they don't depend on prime factorization. (As for what they are, that's beyond the boundaries of my knowledge, but I don't believe they require quantum encryption, merely a system that can't be broken by a quantum computer, and actually, I'm told that they are rather limited in the areas where they have an advantage. (Though app

Any Internet connected system will be compromised at some point in its design life. The only way to prevent this is to get really important things offline, and keep them off the Internet (including all of those government networks like Intelink, Siprnet, Nipnet, etc, etc, etc, etc, etc, etc, etc.)

You got it! My uncle is now a security officer in the military. He's a highly skilled Linux programmer, and knows how to attack the network if he needs/wants to. The only reason he got in the military and is now in security is because he had a 96% accuracy at 300 yards. After all this time, the military still values killing over technical skills, while they should be on equal footing.

If an Iranian nuclear power plant can be attacked by a virus which could have caused major damage (we are just lucky it didn't), you'd think the military would take a better look at their skill requirements. But they rely on their current ranks, the NSA/FBI/CIA, to foot for when they can't make up (and the majority of their skills are about as good as the military's). We need a skill refresh; it's long overdue.

I don't think you really know much about the military, or your Uncle is pulling your leg. That's not how the armed forces work in the U.S.

The problem is that they have government contractors reviewing potential solutions. The same people who are incapable of coming up with workable solutions themselves. So what makes anyone think they would know a good solution, even if it bit them in the ass?

DARPA announced a grant program for this last August at Black Hat. We spent a month crafting an RA for developing a solution based upon formal methods that would change the advantage from the attacker to the defender. Even if we were full of

How to make a network secure, well let's see: enable OpenVPN, configure IPSec, make sure everything inter-departmental is using a PKI token and ensure everyone has PGP. Separate various parts of the network; after all, the employees have better things to be doing than browsing Facebook or YouTube, updating their Twitter status and reading their Hotmail from a government system.
Throw out all those copies of Windows (tm) software; they're really not doing you any good in a virtual environment or other, is everyone usin